MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd39f14948021a7f17de30d38f334142b9f7c26c2fffb174f689bccddce94b29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd39f14948021a7f17de30d38f334142b9f7c26c2fffb174f689bccddce94b29
SHA3-384 hash: eadd0014c7c47a48994e453adbf0f1b75c86e328f9c37f798350f3a105080aca64b5690bba95d3b946360bbb5ab32dae
SHA1 hash: 879c99f1207b31cb2109c381dab00182245317ce
MD5 hash: 586855728fac4c518ff22837104ffc55
humanhash: kitten-muppet-william-happy
File name:586855728fac4c518ff22837104ffc55.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:236'032 bytes
First seen:2022-03-22 19:00:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:9vu6B0bj5DPbS97W+7rQwNz2oTG+pO3Ze6QaAGRqKnojdV9:9Ybj5b2FWQrHNN903ZAOqKopV
Threatray 14'347 similar samples on MalwareBazaar
TLSH T16B3483133880899CDE6D95F7B2178174338ADCBFD258A7186BC873935EE2EA10436B57
File icon (PE):PE icon
dhash icon b28894bab29eea6e (2 x Formbook)
Reporter abuse_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
New Order (PO Ref 01002020).xlsx
Verdict:
Malicious activity
Analysis date:
2022-03-22 14:01:35 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan formbook stealer
Link:
https://app.any.run/tasks/0f2023ba-eb9b-466d-9e4c-7cae42e1463b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255101/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623a1d0c0cd58dbd92d8c0c2/reports/4559acd8-9c07-4620-ac9b-334aefd31b07/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d7c5304-fb97-468c-8ae5-8e14a21e22ca
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962060
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd39f14948021a7f17de30d38f334142b9f7c26c2fffb174f689bccddce94b29/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 16:54:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
21 of 26 (80.77%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
39586764971f496d274f3d453029954720962ed36672050b742aef8b4e68a78e
Formbook
48b9bb721ab60fa9fc9feecef6c4e513b4bfc2049c72f187bdea927b20aa3898
Formbook
53685ac5f275b61fc580f2203e7d7e431d2b03b8e4320015b428745d68d5e333
Formbook
54d3a5ab9cf83b63a50a382b1f3fe4f2bdc03620744b9ecdee74723415fccd9d
Formbook
6e164cb51ca6a0c1c9c27d4d4fece6d970bfe924be2f5766fd2d04bd59fe0d6e
Formbook
6f0508408689f77795e27f5320115355744c6b7d02cf59197dae8646bc73f267
Formbook
779f51468b459d7e4fa2fb6dafabd1771416f00bdd0ad587b1f3119da41edd5e
Formbook
95c771c632d3d8501bcb90643f6587624eb5c5773557eeceb34bb08872cbd3cd
Formbook
bc7cf974c3cfb35a9e7f4abff78a9c68ae6a9ecb2eb78725adfd3ef6db6d6e0a
Formbook
ca77df966e202e0eab6d3c2280f95fb59aee28b5e9e540be3dca1d66c46bf2af
Formbook
+ 14'337 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:vfm2 loader rat
Link:
https://tria.ge/reports/220322-xn824aggb7/
Behaviour
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Xloader Payload
Xloader
Unpacked files
SH256 hash:
dd39f14948021a7f17de30d38f334142b9f7c26c2fffb174f689bccddce94b29
MD5 hash:
586855728fac4c518ff22837104ffc55
SHA1 hash:
879c99f1207b31cb2109c381dab00182245317ce
Link:
https://www.unpac.me/results/3e49bb03-47b9-4f9b-87f3-7af8a465899b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/dd39f14948021a7f17de30d38f334142b9f7c26c2fffb174f689bccddce94b29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe dd39f14948021a7f17de30d38f334142b9f7c26c2fffb174f689bccddce94b29

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2111136/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/255101/

Comments